Reality Check: Are You Ready for Section 326?

After meeting with more than 60 U.S. institutions, Deloitte & Touche concludes that the industry remains highly vulnerable. "Know Your Customer" has never mattered more.

As U.S. banks await changes to Section 326 of the USA PATRIOT Act, the proposed regulation is already making a critical impact. Regulators are bringing the full force of the law against institutions that fail to conform. The consequences - multi-million-dollar fines and extensive media exposure - cannot be ignored.

Most banks believe they are in compliance with Section 326, but the headlines belie this assumption. Consider the following news stories: A large offshore institution admits it failed to establish proper anti-money laundering procedures and will pay a steep fine. A local bank is punished for the same offense. A leading private bank settles allegations of inadequate internal controls and record keeping, and submits to costly SEC reviews. Another nationwide organization is accused of violating federal and state laws designed to halt terrorist fund flows.

Regulators believe that banks are largely compliant with the pending rules. However, after meeting with more than 60 U.S. institutions, we have concluded that the industry remains highly vulnerable. In short, "Know Your Customer" has never mattered more.

Our government and fellow citizens expect banks to stop terrorists from exploiting the financial system, and responsibility for this mission has been placed squarely with Boards. Directors must certify compliance with a broad range of expanded security measures. They must approve the Customer Identification Programs their organizations are charged with creating under Section 326. With new accountability comes significant new risk. In fact, directors may be personally liable in the event of noncompliance, and could possibly face criminal charges.

When is Your Bank in Compliance?
In gauging a bank's readiness for Section 326, the first question a Board should ask is, "Are we in imminent danger?" The absence of an accepted industry standard for compliance makes this a tough question. The burden falls on each organization to ascertain the level at which it is properly covered and institute appropriate, enforceable screening methods for its own risks.

Directors need to ensure that these policies reflect the actions of peer institutions by determining industry averages and best practices. Some banks have tried utilizing a questionnaire to establish benchmarks for readiness. We believe that such a technique is insufficient; a more objective, controlled approach is required to defend against the setting of unreliable standards.

Compliance Gaps: A Persistent Danger
Banks have historically protected themselves against risk, not fraud. In many institutions, biases in the risk-based approach would enable even known terrorists to gain access to the financial system for debit, credit and brokerage products.

Now, institutions must dramatically broaden their definitions both of customers and accounts to prevent fraudulent activity. Under the fraud-based approach, a customer is defined as anyone affecting the movement of money, and an account is considered any ongoing relationship.

Most banks lack the technology needed to make their Customer Identification Programs truly effective. Many have disparate platforms for the same function, and the new demands of Section 326 are beyond their present capacity.

Ready ... or Not?
No bank is immune from the consequences of noncompliance. Adherence to Section 326 will be closely watched by regulators, and infractions will continue to carry serious penalties. In addition, media scrutiny in the current environment will escalate rather than diminish.

We have identified widespread gaps in security and instances where essential safeguards are nonexistent. The result: ongoing opportunities for terrorists.

Many institutions assume that Section 326 is not an urgent issue, but we believe action should not be delayed. Attaining compliance could be a lengthy and complex process that will be difficult to complete in six or even 12 months due to resource issues. Regardless of the deadline, regulators are likely to encourage early adoption to curb violations, and terrorists probably will want to target financial institutions before new standards are in place.

While the greatest benefit from complying with Section 326 is enhanced protection from terrorist activity, banks stand to gain in other important ways. Mandatory independent reviews of Customer Identification Programs will provide impartial perspective on the comprehensiveness, accuracy, and soundness of security procedures.

Mr. Kuester has 20 years' experience assisting financial institutions with transforming and dramatically improving the performance of their business units.

Terry established and managed the Global Benchmarks Alliance for Banks, a consortium initially involving 28 of the 35 largest banks in the US, Canada, UK and Australia, encompassing more than 350 business units across the globe. The Alliance benchmarks the performance of a variety of industry processes, identifies high performance practices and guides institutions on how to achieve superior performance.

Terry was responsible for transforming and operating a number of key processes for two of the largest credit card institutions in the U.S. under an outsourcing arrangement. Processes included card activation for marketing programs, billing, balance transfers, pre-chargeoff collections and others.

Bob Molloy leads Deloitte & Touche's Operational Risk Management practice for Financial Institutions. Bob's experience includes nine years with Equifax, four years at Deluxe/eFunds and four years with Deloitte.

Over the last year, Bob has initiated USA PATRIOT Act review discussions and provided a compliance gap analysis vehicle for over fifty of the nation's largest institutions. The primary focus of these reviews was an assessment of the adequacy and appropriateness of the institution's customer identification procedures, information retention and retrievability capabilities, terrorist screening systems and consumer disclosure policies (as promulgated by Section 326 of the USA PATRIOT Act).